A security vulnerability in a Java logging software called log4j is causing quite a stir. So much so, that the Tagesanzeiger gives the incident front page space. What exactly happened?
Software systems keep a log of events. We, the software engineers, determine which events should be recorded. We use it to measure the performance of the system or record error events. Therefore, the contents of the log often include data caused by the user, such as the web browser type or the operating system. These data points allow us to reproduce errors and fix them efficiently.
Whenever software takes user data, caution is advised. It could be a potential attack. The user data could cause damage (e.g. via "SQL injection"). Therefore, programmers have a duty to clean any data before processing it.
With the security hole in log4j it was now possible to inject foreign code into the logging system via user data. Instead of a predefined behavior (e.g. logging a data point) foreign code is executed, this is a remote code execution. Such attacks are usually quite complicated to execute. The one in log4j is perfidiously not: it was enough to rename your web browser to "${jndi:ldap://127.0.0.1:1389/ badClassName}".
Our customers have been spared this vulnerability because we only use Java (not to be confused with JavaScript) at Renuo for Android app development. There, other logging mechanisms are used instead of log4j. However, the scope of the vulnerability is huge, as log4j is otherwise the standard logging mechanism in the industry. It goes so far as to make even the Mars helicopter software vulnerable.
And let's not kid ourselves: It could have just as easily hit us. All we can do is try to prevent it. To that end, we have put the following measures in place at Renuo:
We use open source software. Issues are more likely to be found and can be fixed quickly.
We use software libraries that have a good usage distribution and a good test coverage. This increases the probability that the quality is good without us having to audit the code. An audit is enormously costly and never actually requested by our customers.
We donate 5% of our company profit to open source software we use. This way we enable bug bounty programs and paid audits.